You mean the configuration from /etc/apparmor.d/usr.bin.firefox? It looks very explanatory.
– Lekensteyn May 9 '11 at 13:13

@Lekensteyn, no I do not know how to read it. And sorry about the new question, I posted it mistakenly after I couldn't find my own question.
– Oxwivi Jun 27 '11 at 18:56

It would be better if you had studied the syntax and then asked some more specific questions. There's plenty of documentation online. You can't expect anyone to explain the profile line by line. wiki.ubuntu.com/AppArmor
– arrange Jun 28 '11 at 8:10

@arrange, I was hoping someone would. :) You can't expect every user to learn to effects when considering using it.
– Oxwivi Jun 28 '11 at 8:16

@Oxwivi: I get your point, but right now there are 618 lines in FF-related apparmor profile files...
– arrange Jun 28 '11 at 8:28

The rest of the file are mainly directories, files and libraries with sometimes some parameters in front (like PROC and HOME which seem easy to understand) and regexes to make it more flexible and sometimes a 'deny' or 'owner' in front of the line (these seem to be self-explanatory to me: they deny access and limit actions in case it is the owner doing them).

See Access Modes, Rule Qualifiers, and #include mechanism in the man page...

man apparmor.d

The man page explains it pretty verbosely. Regarding your question about @{PROC} there are variables which can be set within include files. From the apparmor.d(5) man page...

Some of the abstractions rely on variables that are set in files in
the /etc/apparmor.d/tunables/ directory. These variables are currently
@{HOME} and @{HOMEDIRS}. Variables cannot be set in profile scope;
they can only be set before the profile. Therefore, any profiles that
use abstractions should either #include <tunables/global> or otherwise
ensure that @{HOME} and @{HOMEDIRS} are set before starting the
profile definition. The aa-autodep(8) and aa-genprof(8) utilities will
automatically emit #include <tunables/global> in generated profiles.

If you look in /etc/apparmor.d/tunables/global you'll see there's another #include <tunables/proc>. The contents of that file are....
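
An added example (not part of the answer above, not AppArmor's own code, and not the contents of tunables/proc): a small Python model of how @{VAR} references in profile rules are resolved from assignments made before the profile, including the man page's rule that a variable cannot be set in profile scope. The sample assignments and rules are constructed for illustration, #include lines are not resolved, and collapsing doubled slashes after substitution is a simplification assumed here.

```python
import re

VAR = re.compile(r"@\{(\w+)\}")
ASSIGN = re.compile(r"^@\{(\w+)\}\s*(\+?=)\s*(.*)$")

# Constructed sample: tunables-style assignments inlined ahead of the
# profile, standing in for what #include <tunables/global> would pull in.
SAMPLE = """
@{HOMEDIRS}=/home/
@{HOME}=@{HOMEDIRS}/*/ /root/
/usr/bin/firefox {
  owner @{HOME}/.mozilla/** rw,
  deny @{HOME}/.ssh/** r,
}
"""

def expand(text, variables):
    """Return every concrete string obtained by substituting @{VAR} in text."""
    m = VAR.search(text)
    if m is None:
        return [re.sub(r"/{2,}", "/", text)]  # collapse '//' left by joins
    if m.group(1) not in variables:
        raise ValueError(f"{m.group(0)} used but never set")
    results = []
    for value in variables[m.group(1)]:  # one rule per value of the variable
        results += expand(text[:m.start()] + value + text[m.end():], variables)
    return results

def load(profile_text):
    """Collect variables set before the profile, then expand each rule."""
    variables, rules, in_profile = {}, [], False
    for line in map(str.strip, profile_text.splitlines()):
        if not line or line.startswith("#"):  # comments; #include not resolved
            continue
        m = ASSIGN.match(line)
        if m and in_profile:
            raise ValueError(f"@{{{m.group(1)}}} set inside profile scope")
        if m:
            old = variables.get(m.group(1), []) if m.group(2) == "+=" else []
            variables[m.group(1)] = old + m.group(3).split()
        elif line.endswith("{"):
            in_profile = True
        elif line == "}":
            in_profile = False
        else:
            rules += expand(line, variables)
    return rules

if __name__ == "__main__":
    print("\n".join(load(SAMPLE)))
```

Each rule that mentions a multi-valued variable becomes one concrete rule per value, which is why a single @{HOME} line in a profile covers both ordinary users' home directories and /root.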